Allow std::vector to set a list of allowed ciphers

earlephilhower · earlephilhower · commit af699f458099 · 2018-09-19T20:06:45.000-07:00
For C++ afficionados, allow std::vectors to be passed in to the setCipher()
routine.

The BearSSL object will now keep a copy of any set ciphers and free on object
destruction.  These custom lists should normally only be 1-4 entries long, so it
is not expected to be a memory hog having this extra copy.
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
@@ -205,12 +205,18 @@ may make sense
   uint32_t now = millis();
   fetchURL(&client, host, port, path);
   uint32_t delta = millis() - now;
-  now = millis();
   client.setInsecure();
   client.setCiphersLessSecure();
+  now = millis();
   fetchURL(&client, host, port, path);
   uint32_t delta2 = millis() - now;
-  Serial.printf("Using more secure: %dms\nUsing less secure ciphers: %dms\n", delta, delta2);
+  std::vector<uint16_t> myCustomList = { BR_TLS_RSA_WITH_AES_256_CBC_SHA256, BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA };
+  client.setInsecure();
+  client.setCiphers(myCustomList);
+  now = millis();
+  fetchURL(&client, host, port, path);
+  uint32_t delta3 = millis() - now;
+  Serial.printf("Using more secure: %dms\nUsing less secure ciphers: %dms\nUsing custom cipher list: %dms\n", delta, delta2, delta3);
 }
 
 void setup() {
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
@@ -103,6 +103,7 @@ WiFiClientSecure::~WiFiClientSecure() {
     _client->unref();
     _client = nullptr;
   }
+  free(_cipher_list);
   _freeSSL();
   _local_bearssl_stack = nullptr; // Potentially delete it if we're the last SSL object
   if (_deleteChainKeyTA) {
@@ -735,10 +736,24 @@ extern "C" {
 
 }
 
-// Set the faster ciphers as the only ones allowed
-void WiFiClientSecure::setCiphersLessSecure()
-{
-  setCiphers(faster_suites_P, sizeof(faster_suites_P)/sizeof(faster_suites_P[0]));
+// Set custom list of ciphers
+bool WiFiClientSecure::setCiphers(const uint16_t *cipherAry, int cipherCount) {
+  free(_cipher_list);
+  _cipher_list = (uint16_t *)malloc(cipherCount * sizeof(uint16_t));
+  if (!_cipher_list) {
+    return false;
+  }
+  memcpy_P(_cipher_list, cipherAry, cipherCount * sizeof(uint16_t));
+  _cipher_cnt = cipherCount;
+  return true;
+}
+
+bool WiFiClientSecure::setCiphersLessSecure() {
+  return setCiphers(faster_suites_P, sizeof(faster_suites_P)/sizeof(faster_suites_P[0]));
+}
+
+bool WiFiClientSecure::setCiphers(std::vector<uint16_t> list) {
+  return setCiphers(&list[0], list.size());
 }
 
 // Installs the appropriate X509 cert validation method for a client connection
@@ -804,9 +819,10 @@ bool WiFiClientSecure::_connectSSL(const char* hostName) {
 
   // If no cipher list yet set, use defaults
   if (_cipher_list == NULL) {
-    setCiphers(suites_P, sizeof(suites_P) / sizeof(uint16_t));
+    br_ssl_client_base_init(_sc.get(), suites_P, sizeof(suites_P) / sizeof(uint16_t));
+  } else {
+    br_ssl_client_base_init(_sc.get(), _cipher_list, _cipher_cnt);
   }
-  br_ssl_client_base_init(_sc.get(), _cipher_list, _cipher_cnt);
   // Only failure possible in the installation is OOM
   if (!_installClientX509Validator()) {
     _freeSSL();
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
@@ -23,6 +23,7 @@
 
 #ifndef wificlientbearssl_h
 #define wificlientbearssl_h
+#include <vector>
 #include "WiFiClient.h"
 #include <bearssl/bearssl.h>
 #include "BearSSLHelpers.h"
@@ -106,8 +107,9 @@ class WiFiClientSecure : public WiFiClient {
 
     // Select specific ciphers (i.e. optimize for speed over security)
     // These may be in PROGMEM or RAM, either will run properly
-    void setCiphers(const uint16_t *cipherAry, int cipherCount) { _cipher_list = cipherAry; _cipher_cnt = cipherCount; }
-    void setCiphersLessSecure(); // Only use the limited set of RSA ciphers without EC
+    bool setCiphers(const uint16_t *cipherAry, int cipherCount);
+    bool setCiphers(std::vector<uint16_t> list);
+    bool setCiphersLessSecure(); // Only use the limited set of RSA ciphers without EC
 
     // Check for Maximum Fragment Length support for given len
     static bool probeMaxFragmentLength(IPAddress ip, uint16_t port, uint16_t len);
@@ -176,8 +178,8 @@ class WiFiClientSecure : public WiFiClient {
     unsigned _knownkey_usages;
 
     // Custom cipher list pointer or NULL if default
-    const uint16_t *_cipher_list;
-    uint16_t _cipher_cnt;
+    uint16_t *_cipher_list;
+    uint8_t _cipher_cnt;
 
     unsigned char *_recvapp_buf;
     size_t _recvapp_len;
